178
Bullying in Open Source Software Is a Massive Security Vulnerability (www.404media.co)
submitted 5 months ago by toaster@slrpnk.net to c/opensource@lemmy.ml
38 comments fedilink hide all child comments
all 39 comments
sorted by: hot top controversial new old
[-] magic_lobster_party@kbin.run 38 points 5 months ago

Closed source projects are also subject to bullying.

Project managers pressuring developers to implement half assed features in an afternoon because sales sold a feature that doesn’t exist and have signed a deal to have it delivered tomorrow morning. Who has time to review the code and ensure there are no SQL injection vulnerabilities? Just push it!

[-] toaster@slrpnk.net 13 points 5 months ago

Absolutely. In my experience I've felt more pressure to merge in closed source than open source since the bully is those above you in a hierarchy with business interests who are also paying your bills.

[-] floofloof@lemmy.ca 29 points 5 months ago* (last edited 5 months ago)

Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think its relevant now

https://social.librem.one/@eighthave/112194828562355097

Steiner wrote this week that the original coder deleted their account as soon as F-Droid’s maintainers attempted to review the code, and that he thinks that the user’s behavior, as well as “all the attention from random new accounts” has led him to believe “it could be a deliberate attempt to insert the vuln.”

This is pretty significant: the first documented case of these tactics being used to insert a vulnerability, apart from xz. So probably the same actors have been trying this on multiple projects.

I hope other maintainers who have experienced similar pressure tactics will come forward, even if they're not aware of any backdoors. For any project where this has taken place and the code was merged, the code and commit history needs to be audited.

[-] rollingflower@lemmy.kde.social 19 points 5 months ago* (last edited 5 months ago)

Thats like "child labor is bad because they cant do high quality work".

Bullying is bad. Period.

[-] JoBo@feddit.uk 8 points 5 months ago

You're nitpicking the headline while agreeing with the article.

“What is striking is that the uncool, mean standards of FOSS conduct that many of us have decried for years, and that many defended as authentic, tough, etc., ended up not just being exclusionary loser behavior, but a significant attack surface.”

[-] toaster@slrpnk.net 2 points 5 months ago

I fail to see the comparison at all.

[-] thingsiplay@beehaw.org 13 points 5 months ago

Bullying in Closed Source Software is also bad. Off course in Open Source more people have the ability to do this, compared to a more controlled environment like Closed Source. What do we learn from the mistakes described in the article? Don't close your eyes, watch and don't trust untrusted people. If someone starts bullying or is toxic, take that as an attack and warn them to get banned. It's like saying bullying under politicians is bad. Yes it is. And we should not allow that. But that does not mean we should stop using or developing Open Source (or stop electing).

If people are really unhappy with the direction of the project and if they want to push specific updates they want see, they should just fork it and do whatever they want. And if it works, it can still be integrated into the "main app".

[-] toaster@slrpnk.net 3 points 5 months ago* (last edited 5 months ago)

One of the takeaways Imo is to consider bullies as potential security threats especially when they're pushing to merge code. And for both developers and non-developers alike, to try to foster a culture of respect and avoid entitlement in git issues. Call it out when you see it and don't dogpile.

[-] Aquila@sh.itjust.works 10 points 5 months ago

People will always be a vulnerability. That goes for physical security too.

[-] nutomic@lemmy.ml 10 points 5 months ago* (last edited 5 months ago)

Im a former contributor to F-Droid with various merged pull requests. Looking at the indicated pull request I really doubt that it was an intentional attack. First of all its easy to forget for a new developer to escape SQL parameters, and the docs dont even mention a risk of SQL injection attacks. And of the users pushing for the PR to be merged, one is a long-time F-Droid contributor, and the other also looks like a real human with many contributions in other repos, so no sockpuppets in sight.

It simply looks like standard open source behaviour, for better or for worse. A new user makes a contribution for a highly demanded feature, and users want it to get merged as soon as possible. Maintainers are discussing the big picture of the change and want to avoid breaking changes, without getting into code review yet. The new contributor seems unwilling to make any design changes to his PR, and gets frustrated that it doesnt get merged as is. The potential vulnerability is only noticed half a year after the PR was opened, at which point it was already de facto abandoned. So not an attack, but simply a developer who is new to open source and doesnt understand how the process works.

[-] ThetaDev@lemmy.dbzer0.com 2 points 5 months ago

Plus how would you want to exploit a F-Droid SQL injection vulnerability in the search bar?

AFAIK you cannot trigger searches using URLs, so the user would have to type/paste the SQL into the search field themselves to mess up their database.

[-] nutomic@lemmy.ml 3 points 5 months ago

One of the comments mentions that another app can trigger search through an Android intent. So its better to be safe and close any potential vulnerabilities, but this doesnt seem particularly useful for an attacker.

[-] toaster@slrpnk.net 2 points 5 months ago

This makes more sense imo, thanks for sharing your experience (and your Lemmy development :))

[-] onlinepersona@programming.dev 9 points 5 months ago

This is why I dislike people badgering the Lemmy devs for whatever they feel is currently important to them. "Ermagerd, it's GDPR violation!!!1!!!1!!111". Or people flaming the developer(s) of Mastodon for not implementing quoting "Twitter has it, so you must implement it for people coming from Twitter!". And so on and so forth.

We should all be doing what we can to help opensource developers and that also means calling out shitty behavior from its users or external contributors towards maintainers. Maintainers aren't messiahs and just humans too, so them being cunts isn't nice either (obviously), but I have much more understanding for their behavior sometimes. Especially when hundreds of entitled keyboard warriors attack maintainers and write blog articles about them (like wedistribute.org) demanding stuff be done their way.

Maintainers also need better tools and features from giants like github to shutdown annoying users on their projects. Github's "social" features need a lot of work. It's not possible to have moderators (human or automatic provided by the platform) for projects for example. Instead maintainers have to read all the bullshit demands people have expressed with no filter.

When the maintainer of actix stepped down due to harrassment by rust purists (he used the unsafe keyword) and there was an outpour of support, it felt so ridiculously fake. It had been going on for a while and there were reddit threads, blog posts, tweets, and other cries on social media by the purists that amounted to harrassment, but only when the maintainer stepped down did people affected react.

I'm by far no angel, but at least my claim to fame isn't abusing maintainers enough for them to quit.

CC BY-NC-SA 4.0

[-] magic_lobster_party@kbin.run 5 points 5 months ago

At least with Lemmy and Kbin, if you have a feature you want to have implemented you always have the option to fork and host your own instance. Maybe not ideal for everyone, but the option is there.

This has happened to Kbin with the fork Mbin due to inactivity from the main Kbin maintainer. It’s not ideal that a project goes stale, but life happens and we must respect that.

[-] delirious_owl@discuss.online 2 points 5 months ago* (last edited 5 months ago)

what? The community finds issues like the XZ one, and the devs say they won't be able to fix it because they have less important things to work on instead.

Its not bullying the devs to point out to them the massive GDPR violations of their software and to give them hell for sweeping it under the rug and literally say they won't do anything to fix it.

I believe this is the article you refer to

https://wedistribute.org/2024/03/lemmy-image-problem/

Its pretty spot-on.

[-] onlinepersona@programming.dev 5 points 5 months ago

Its not bullying the devs to point out to them the massive GDPR violations of their software and to give them hell for sweeping it under the rug and literally say they won’t do anything to fix it.

It is. The data is in the DB and filesystem and can be manually removed. Having a button that does it is a convenience. It's the instance operator who will be in trouble if they don't. The code is provided with a license that literally says

THERE IS NO WARRANTY FOR THE PROGRAM

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES

You are using it and/or hosting it at your own peril.

And the devs said this

So there is no legal nor moral responsibility to implement any features that you personally want. However you are free to:

  • Implement the feature yourself
  • Pay someone else to implement it
  • Stop using Lemmy and use one of countless alternative platforms instead

Then the fediverse erupted and made blog posts, toots, @'ed the devs directly, etc.

Also Open Source Maintainers Owe You Nothing. Interalise that. They owe use fucking nothing - except maybe the respect we show them and if none is shown, they don't owe any respect back.

Anti Commercial AI thingyCC BY-NC-SA 4.0

[-] delirious_owl@discuss.online 1 points 5 months ago

This is literally the same argument that reddit took.

[-] 2xsaiko@discuss.tchncs.de 3 points 5 months ago

This argument would be no use to reddit since they are the "instance operator" in that case.

[-] rollingflower@lemmy.kde.social 6 points 5 months ago

If something is free Software, there is no supply chain. There is no security and no guarantees. For sure all these volunteers are mostly trying to deliver a good product, but they are offering free labor.

Saying "bullying is bad for the outcome of the product" is kinda ironic, as "not paying these devs" also is bad. This is just the extreme form

[-] magic_lobster_party@kbin.run 6 points 5 months ago

This person has never worked in a company where customer service has full access to user’s passwords because no one bothered to hash them.

[-] delirious_owl@discuss.online 3 points 5 months ago

What? Its literally a transparent supply chain, and therefore much safer than the supply chain of non-free software.

[-] Danterious@lemmy.dbzer0.com 6 points 5 months ago

So what is the the solution then? What kind of culture would be more operationally secure?

[-] harfee@lemmygrad.ml 19 points 5 months ago

I think the article was pretty clear that (1) companies that use open source projects to make money should be contributing financially to them, and (2) users and contributors need to stop feeling entitled to maintainers' unpaid labor and time. Mostly 2 because it's a security risk AND a shitty way to treat people who are making something free for you.

[-] livus@kbin.social 3 points 5 months ago

users and contributors need to stop feeling entitled to maintainers’ unpaid labor and time

And the rest of us need to stand up for maintainers against bullies.

[-] pop@lemmy.ml 3 points 5 months ago

Honestly, in medium to big projects, 2 seems like mostly astroturfing from companies who really want to hide the fact that they benefit financially but use alt accounts to push toxic bullying like "you're not following opensource principle, not foss this, not foss that, you do this or we're going to make a scene" when maintainers try to get any semblance of authority over their own projects.

[-] pmk 10 points 5 months ago

Maybe some inspiration from how OpenBSD handles users requesting features.
"No one deserves anything from us. /../ The developers in this project do the best they can"
or
"If you expected any of us to reply as if we are contractors or your employees, you came to the wrong place."

[-] toaster@slrpnk.net 4 points 5 months ago

Community guidelines in a readme would be a good start. Also, educating those opening new git issues since I often see entitled and vitriolic demands from non-devs who do not understand what FOSS is (although I understand that this isn't the only bully archetype).

[-] delirious_owl@discuss.online 0 points 5 months ago

Submitig bug reports is a contribution, not bullying. Some devs see reporting a bug as a bad thing. Thats toxic.

[-] Star@sh.itjust.works 2 points 5 months ago

Of course, but you missed part of the point. Open source devs are providing code for free, the least the user can do is provide bug reports without rude language/demands.

[-] delirious_owl@discuss.online 1 points 5 months ago* (last edited 5 months ago)

I agree. But that goes both ways. Devs shouldn't be rude to contributors of bug reports. And the Lemmy devs have been real assholes to most of their contributos.

Theres a reason they have this reputation.

[-] Dymonika@beehaw.org 2 points 5 months ago

Probably some sort of mix, like federated or crowd-sourcing, but either simply means more maintainers/supervisors.

[-] xilliah@beehaw.org 5 points 5 months ago

My hair stood up straight due to an ad on that website playing music.. A blast from the past!

[-] vintageballs@feddit.de 1 points 5 months ago* (last edited 5 months ago)

What browser and ad blocker are you using that you're getting ads and autoplay isn't blocked?

[-] xilliah@beehaw.org 1 points 5 months ago

Mostly using duck duck go. But am considering Firefox with some addons now.

[-] Auzy@beehaw.org 5 points 5 months ago* (last edited 5 months ago)

I had a project I gave up and dropped because of the general OSS community being crap.

There were a lot of supporters, but got tired of all the wankers I had to defend the project from. It simply wasn't worth it when I was putting in so much time for free

So, I agree entirely.

It's not everyone, but we do have a lot of donkeys out there honestly, and i suspect it has a bigger impact on the development community than we know

[-] haui_lemmy@lemmy.giftedmc.com 2 points 5 months ago

The issue is, as always, the non donkeys not calling out the donkeys.

If you see someone bullying someone else, online of offline, you intervene. Thats basic decency and everyone who doesnt do that is part of the problem.

Someone calling a person names, trolling them or otherwise being an ass should be met with a wall of reports and differing opinions.

Bullying others is only fun if you can do so uninterrupted. More compassion, folks.

this post was submitted on 04 Apr 2024
178 points (96.4% liked)

Open Source

29787 readers
44 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
Cloak@lemmy.ml
kevincox@lemmy.ml
CrypticCoffee@lemmy.ml
Lettuceeatlettuce@lemmy.ml